Pages

Friday, July 24, 2015

Where will payment hackers go post-EMV?

Right now, in the midst of summertime—school vacation, camping trips, beach days—it’s hard for anyone to imagine Oct. 1. But it’s top of mind for retailers, which will experience a shift in liability, from credit card companies and banks to themselves, whenever a credit card is compromised by fraud if they haven't updated their systems to be EMV-compliant.

All retailers should have their EMV (which stands for Europay, MasterCard, Visa) point-of-sales systems ready to go on Oct. 1 to handle the new credit cards that are far more difficult to hack.

Until then, U.S. consumers are blithely swiping their credit cards and debit cards with magnetic strips holding access to their money, their good credit, and even their personal information. These simple magnetic strips have been compared to an eight-track cassette and are fairly porous to data-sucking thieves.

New EMV cards will have a shiny metallic square containing a more secure chip and most can also use Near-Field Communications to make a payment. The new POS systems are expected to be much safer than their predecessors, helping retailers prevent the kind of massive fraud that have infamously compromised the payment systems at Home Depot, Target, Neiman Marcus, Michaels, and others.

But hackers aren’t just going to disappear after this switch to EMV cards and POS systems that accept them. And it’s safe to guess that they’ll likely go online.

Retailers are unprepared for online fraud

While omnichannel retailers may be preoccupied with preparing for Oct. 1, they may not be prepared for what experts say is the inevitable shift to online payment fraud. The good news is that, if a retailer is hit, it can be a sign of business success.

“If someone hits you, it’s a bittersweet moment, that you’re big enough that someone wants to take advantage of you and your many transactions,” Jason Tan, CEO and founder of fraud detection company Sift Science, told Retail Dive. “The trouble is, as long as you keep growing and your business is thriving you’re always going to see fraud.”

The reality is that online fraud will jump, and retailers by and large aren’t ready for that. That could mean a new season of breach stories and a different kind of nightmare.

“Offline merchants are generally prepared because it’s mandated by the credit card companies and they have a big liability shift coming,” Tan says. “I don’t think the online merchant is that prepared because human nature is to procrastinate. In other countries the year after the EMV mandate, online merchants saw two times the fraud. That’s a massive massive jump in fraud — so how do you how install a defense mechanism so that doesn't keep you up at night?”

The good news: The technology is here

While EMV technology has been employed for a while abroad, it’s just now arriving in the states. But the technology to tackle and prevent online fraud is here now. Tan notes that Sift Science tackles fraud issues using machine learning behavior technology with APIs and advanced modeling to track, score, and categorize online transactions.

Using such algorithm-based systems, Tan says, is far superior to the human-led, human-dependent rules-based systems that most retailers use now.

“There are too many orders from manual review that require a full time staff, and, worse, they’re not accurate,” he says. “You want to be able to stop the bad users, but let in the good customers easily.”

Convenience remains important

That's it, of course: the key is to find effective technology keeps data safe without overly inconveniencing shoppers. Making checkout too difficult is a recipe for cart abandonment.

It’s a disaster when hackers find their way onto a retailer’s site, but it can be deadly to a sale if authentic customers there to buy have to deal with awkward, time-consuming fraud prevention measures. Tan says that Amazon is an example of a company that uses technology extremely effectively, and knows how to keep the checkout system humming smoothing for its fraud-free customers.

The bad news: Trouble's still lurking

It’s easily forgotten that a major pipeline to online fraud is the telephone. Unscrupulous retail or hotel employees often obtain credit card numbers over the phone during a sale or customer service transaction and sell them for use online, Laurence Cooke, founder and CEO of loyalty and payment platform nanoPay, told Retail Dive.

“It’s so much easier to steal a card when you’re being read the card numbers on the phone,” Cooke says. “What doesn’t go away with EMV is that cards are captured on phone orders or catalog orders, and then they get used online.”

EMV transactions will be palpably slower than credit card swipes are now, which might prompt people to use contactless payments.

“When you use a mobile app,” Cooke says, “it’s a more secure way, but as easy as swiping or tapping.”

That means that the switch to EMV, and the resulting added risk of online fraud, have a good chance of boosting the adoption of mobile payments, Cooke believes.

And if retailers are smart enough to take advantage of mobile’s data collection capabilities and streamline their online systems in ways like those Tan describes, they will also be able to develop more effective loyalty programs. That in turn could move mobile payment adoption even more swiftly.

Indeed, while Tan gives Amazon credit for its ability to quickly nab dubious payments, Cooke similarly gives the e-retail giant props for its loyalty program. The two things turn out to be tightly connected.

“The reason Amazon beats Wal-mart isn’t because they have better supply chain or better options,” Cooke says. “It’s that Amazon knows everything about you and Wal-Mart knows nothing about you. Wal-Mart may have discounts, but they may not be relevant to you at all.”

If retailers want to, they could leverage mobile to help make payments more secure and, in turn, help them get to know their customers in the same way.

NFC, Apple Pay, Android—doesn’t matter

“I don’t think Apple Pay can be completely successful everywhere without Android also being completely successful,” he says. “My only opinion is that it should be up to retailers to choose. We shouldn’t try to force it.”

The bottom line

Above all, retailers need to realize that there’s no magic fraud protection in EMV, or in mobile payments, or machine learning for that matter.

"I don’t think it’s black and white— I don’t think you’re either secure or not," Tan says, "The hackers and the fraudsters are always working.”